Consider legal implications when using cloud for email

I often have CIOs ask me my opinion about putting e-mail in the public cloud. My answer is pretty simple: check with your lawyers. Indeed, the issue is not technical, but has to do with ownership of e-mails and what can happen to them.

Now what has this story to do with e-mail in the cloud? Well, if your e-mail happens to be on one of the servers that have been seized by the FBI… bad luck, it’s gone to the authorities. This is the clash between the physical and the virtual world. Justice needs “physical evidence” and I stress the term physical. In the cloud everything is increasingly virtual. Information is scattered over multiple physical enclosures, mixed with information from others. And that is precisely where the problem is. In their need to seize physical evidence, authorities not only get the information they are looking for, but also many other information items not related to the case.

There is no trustworthy mechanism in place for cloud service providers to hand over the information authorities request for their case. And this leads to cases such as this one. As the New York Times reports, many customers were really unhappy.

Actually, it seems the FBI has been quite gracious as it could have considered the whole datacenter as a crime scene, specifically if the service provider was not able to show proof that they could pinpoint the exact devices, locations and files/images that were hacked, one of my sources tells me.

Mirroring your cloud environment in two datacenters could obviously address this, but adds to the cost. Scenarios such as the one above should be included in the risk management I discussed in a previous blog entry.

To come back to e-mail, scenarios such as the above may put your data into the hands of authorities against your will, but there is also another aspect. Who owns your e-mails when they are stored in the cloud? What happens if your mail is in the cloud and you are subject to a subpoena? Who will decide whether the information is handed over or not? ZDNet published an interesting article, titled Microsoft: “We can hand over Office 365 data without your permission”. They actually recognize that: “In a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft or others (including the enforcement of agreements or policies governing the use of the service).” And the article describes how data can travel between regions without the customer being advised, making compliance with regional legislation more complicated.

In the many contacts I’ve had with CIOs all over the globe, I have been astonished to see that many of them decide to use public cloud services for e-mail, collaboration and other functions without thinking through these points. My advice remains the same: discuss these scenarios with your lawyers first, as there might be serious implications for the company. And it may end up costing the company way more than the savings gained by using the service in the first place. The industry needs to work with authorities to find a solution that is acceptable to all parties. While the industry absolutely wants to help authorities address crime successfully, it wants to avoid subjecting innocent customers to the wrongdoings of others.

In the meantime, keep this in the back of your mind, and if you have to make a decision whether to use a public cloud service or not, make sure you get proper legal advice.

Judy and John, yes, times are interesting, and the cloud thinking continues to be challenged with unexpected events. Actually the FBI case was not the only one. A cloud service provider in Italy got a similar experience when one of its customers got a subpoena to release their e-mails. Due to the virtual nature of storage in the cloud and the judicial requirement for physical evidence, many other customers, including a couple of Swiss companies, got their e-mail made available to the judges. In my mind it's partly to do with the fact the laws are not really in line with the new technologies that appear. So, still loads of space for improvement.

Christian, interesting post. I read in my local Sunday newspaper that AP reports LulzSec announced via Twitter that it is disbanding. Who knows if the report will bear truth in the long run. In order to go out in a big way, the group released documents it claims it had hacked from AT&T. Earlier this week it hacked into the Department of Public Safety records in Arizona where I live--and the claim is that the hacking group has home phone numbers and other personal information on officers. Arizona DPS says the breach came through an email system with weak password requirements. The lesson from all this is that we need to take computer security much more seriously, in spite of the fact that the name Lulz is supposedly a twist on the Internet acronym LOL, "laughing out loud." Computer security is no laughing matter.

Reading Christian's post is enough to scare any company to pull back on pulling back on cloud e-mail. But the FBI's server seizure seemed like a ham-handed fishing expedition. They take 10 servers when in theory, DigitalOne officials could have told investigators that what they were looking for was on this or that server. It's like the FBI getting a warrant to search your car and searching every car in the adjacent neighborhood. Also, the FBI could be opening itself to some lawsuits.

But you raise another excellent point: what else do they find beyond what they expected to find? It is a lawyerly subject, indeed.
